Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method comprising: receiving from a client device, by a policy enforcement system, a request for first data from a data node of a file system, the request including one or more user credentials that identify the client device and being sent by the client device based on receiving a customized redirect request from the policy enforcement system, the customized redirect request comprising a redirect request, received from a name node of the file system, to which the one or more user credentials have been appended by the policy enforcement system; intercepting, by the policy enforcement system, a communication from the data node to the client device, the communication containing the first data, the policy enforcement system storing a plurality of policies and data associating a plurality of user credentials with the plurality of policies; selecting, by the policy enforcement system, based on the user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the user credentials from the plurality of policies; filtering, by the policy enforcement system, the first data based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and sending the filtered data to the client device via the network.
2. The method of claim 1, wherein at least one of the selected policies includes a predicate that determines whether the first data includes information that is to be filtered, and wherein the first data is filtered based on the predicate.
3. The method of claim 2, wherein the information is a particular regular expression in a programming language.
4. The method of claim 1, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
5. The method of claim 1, wherein the file system is a distributed storage comprising a plurality of slave nodes that store data and a master node that stores mapping of the data to the plurality of slave nodes, wherein the data node is a slave node.
6. The method of claim 5, further comprising receiving, by the policy enforcement system, an identification of the data node from the master node and based on the first data requested by the client device.
7. The method of claim 1, wherein the first data is organized by a table of columns and rows, wherein filtering the first data comprises: determining, based on the one or more policies associated with the user credentials, that one or more columns of the first data in the table are restricted; and masking the one or more columns, wherein the one or more columns include the one or more data entries.
8. A system comprising: a file system that stores data; and a policy enforcement system in communication with the file system, the policy enforcement system comprising: a processor, and a non-transitory computer-readable medium coupled to the processor and having instructions stored thereon, which, when executed by the processor, cause the processor to perform operations comprising: receiving from a client device, by the policy enforcement system, a request for first data from a data node of a file system, the request including one or more user credentials that identify the client device and being sent by the client device based on receiving a customized redirect request from the policy enforcement system, the customized redirect request comprising a redirect request, received from a name node of the file system, to which the one or more user credentials have been appended by the policy enforcement system; intercepting over a network, by the policy enforcement system, a communication sent via the network from the data node to the client device, the communication containing the first data, the policy enforcement system storing a plurality of policies and data associating a plurality of user credentials with the plurality of policies, selecting based on the user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the user credentials from the plurality of policies, filtering the first data based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data, and sending the filtered data to the client device via the network.
9. The system of claim 8, wherein at least one of the selected policies includes a predicate that determines whether the first data includes information that is to be filtered, and wherein the first data is filtered based on the predicate.
10. The system of claim 9, wherein the information is a particular regular expression in a programming language.
11. The system of claim 8, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
12. The system of claim 8, wherein the file system is a distributed storage comprising a plurality of slave nodes that store data and a master node that stores mapping of the data to the plurality of slave nodes, wherein the data node is a slave node.
13. The system of claim 12, wherein the operations further comprise receiving, by the policy enforcement system, an identification of the data node from the master node and based on the first data requested by the client device.
14. A computer-readable storage medium having instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising: receiving from a client device, by a policy enforcement system, a request for first data from a data node of a file system, the request including one or more user credentials that identify the client device and being sent by the client device based on receiving a customized redirect request from the policy enforcement system, the customized redirect request comprising a redirect request, received from a name node of the file system, to which the one or more user credentials have been appended by the policy enforcement system; intercepting over a network, by the policy enforcement system, a communication sent via the network from the data node to the client device, the communication containing the first data, the policy enforcement system storing a plurality of policies and data associating a plurality of user credentials with the plurality of policies; selecting based on the user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the user credentials from the plurality of policies; filtering the first data based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and sending the filtered data to the client device via the network.
15. The computer-readable storage medium of claim 14, wherein at least one of the selected policies includes a predicate that determines whether the first data includes information that is to be filtered, and wherein the first data is filtered based on the predicate.
16. The computer-readable storage medium of claim 15, wherein the information is a particular regular expression in a programming language.
17. The computer-readable storage medium of claim 14, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
18. The computer-readable storage medium of claim 14, wherein the file system is a distributed storage comprising a plurality of slave nodes that store data and a master node that stores mapping of the data to the plurality of slave nodes, wherein the data node is a slave node.
19. The computer-readable storage medium of claim 18, wherein the operations further comprise receiving, by the policy enforcement system, an identification of the data node from the master node and based on the first data requested by the client device.
20. The computer-readable storage medium of claim 14, wherein the first data is organized by a table of columns and rows, wherein filtering the first data comprises: determining, based on the one or more policies associated with the user credentials, that one or more columns of the first data in the table are restricted; and masking the one or more columns, wherein the one or more columns include the one or more data entries.
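The claims above describe three mechanisms: appending the client's credentials to the name node's redirect (claims 1, 8, 14), selecting policies from a credential-to-policy mapping, and masking restricted columns, optionally gated by a regular-expression predicate (claims 2, 3, 7, 20). The following Python is an added worked example of those mechanisms written for this page; it is not code from the patent or its assignee. The WebHDFS-style `op=OPEN` redirect URL, the policy names, the role-based credential mapping and the sample table are all constructed assumptions.

```python
"""Added example (not from the patent): a minimal policy enforcement step for
credential-based column masking of tabular data returned by a data node."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

MASK_CHAR = "*"


@dataclass(frozen=True)
class Policy:
    """A masking policy: restricted column names plus an optional regex predicate.
    If a predicate is set, only cells matching it are masked (claims 2 and 3)."""
    name: str
    restricted_columns: FrozenSet[str]
    predicate: Optional[str] = None


# Constructed policy store (hypothetical policy names).
POLICY_STORE: Dict[str, Policy] = {
    "mask_ssn": Policy("mask_ssn", frozenset({"ssn"}), predicate=r"^\d{3}-\d{2}-\d{4}$"),
    "mask_contact": Policy("mask_contact", frozenset({"email", "phone"})),
}

# Constructed mapping from a credential (a role carried in the request) to policy ids.
CREDENTIAL_POLICIES: Dict[str, List[str]] = {
    "analyst": ["mask_ssn", "mask_contact"],
    "support": ["mask_ssn"],
    "dba": [],
}


def customize_redirect(redirect_url: str, credentials: Dict[str, str]) -> str:
    """Append the client's credentials to the name node's redirect URL as query
    parameters, producing the 'customized redirect request' of claim 1."""
    parts = urlparse(redirect_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(credentials)
    return urlunparse(parts._replace(query=urlencode(query)))


def select_policies(credentials: Dict[str, str]) -> List[Policy]:
    """Select the policies associated with the credentials. Credentials that are
    missing or unknown fail closed: every stored policy is applied."""
    role = credentials.get("role")
    if role not in CREDENTIAL_POLICIES:
        return list(POLICY_STORE.values())
    return [POLICY_STORE[pid] for pid in CREDENTIAL_POLICIES[role]]


def mask_value(value: str) -> str:
    """Replace every character with the masking character (length-preserving)."""
    return MASK_CHAR * len(value)


def filter_table(header: List[str], rows: List[List[str]],
                 policies: List[Policy]) -> List[List[str]]:
    """Return a masked copy of rows; the input rows are not modified."""
    compiled = [(p, re.compile(p.predicate) if p.predicate else None) for p in policies]
    filtered = []
    for row in rows:
        new_row = list(row)
        for idx, column in enumerate(header):
            for policy, pattern in compiled:
                if column not in policy.restricted_columns:
                    continue
                if pattern is None or pattern.search(new_row[idx]):
                    new_row[idx] = mask_value(new_row[idx])
                    break  # one mask per cell is enough
        filtered.append(new_row)
    return filtered


def enforce(credentials: Dict[str, str], header: List[str],
            rows: List[List[str]]) -> List[List[str]]:
    """Policy enforcement step: select policies for the credentials, then filter."""
    return filter_table(header, rows, select_policies(credentials))


# Constructed sample data standing in for the data node's response.
HEADER = ["name", "ssn", "email"]
ROWS = [
    ["Ada", "123-45-6789", "ada@example.com"],
    ["Bob", "n/a", "bob@example.com"],
]

if __name__ == "__main__":
    redirect = "http://dn1:50075/webhdfs/v1/users.csv?op=OPEN"  # assumed WebHDFS-style redirect
    print(customize_redirect(redirect, {"role": "analyst"}))
    for role in ("analyst", "support", "dba"):
        print(role, enforce({"role": role}, HEADER, ROWS))
```

Two design points worth noting. The predicate form of a policy (claim 2) leaves non-matching cells in clear, so a cell such as "n/a" in the ssn column passes through unmasked; a column-wide policy without a predicate is the safer default for a restricted column. The length-preserving mask used here reveals the length of each value, which a fixed-width mask would not. The example also fails closed for credentials it cannot map, which is the behaviour a defender wants from an interposed enforcement point: the claims themselves do not specify what happens for unrecognised credentials.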
April 29, 2019
March 30, 2021